4 * Copyright (c) 1998 by Gilbert Ramirez <gram@alumni.rice.edu>
6 * SPDX-License-Identifier: GPL-2.0-or-later
13 #include "file_wrappers.h"
17 * A file begins with a header containing:
19 * a 4-byte magic number, with 'c', 'p', 's', 'e';
21 * either a 2-byte little-endian "format indicator" (version number?),
22 * or a 1-byte major version number followed by a 1-byte minor version
23 * number, or a 1-byte "format indicator" followed by something else
24 * that's always been 0;
26 * a 2-byte 0xe8 0x03 (1000 - a data rate? megabits/second?)
28 * 4 bytes of 0x01 0x00 0x01 0x00;
30 * either a 4-byte little-endian file size followed by 0x00 0x00 0x00 0x00
31 * or an 8-byte little-endian file size;
33 * a 4-byte little-endian packet count (in dns_error_of_udp, it exceeds?)
35 * a 4-byte little-endian number?
37 * hex 2c 01 c8 00 00 00 da 36 00 00 00 00 00 00;
39 * the same 4-byte little-endian number as above (yes, misaligned);
43 * a bunch of 0s, up to an offset of 0x36d6;
47 * Following that is a sequence of { record offset block, up to 200 records }
50 * A record offset block has 1 byte with the value 0xfe, a sequence of
51 * up to 200 4-byte little-endian record offsets, and 4 or more bytes
52 * of unknown data, making the block 805 bytes long.
54 * The record offsets are offsets, from the beginning of the record offset
55 * block (i.e., from the 0xfe byte), of the records following the block.
58 /* Magic number in Capsa files. */
59 static const char capsa_magic[] = {
64 * Before each group of 200 or fewer records there's a block of frame
65 * offsets, giving the offsets, from the beginning of that block minus
66 * one(1), of the next N records.
68 #define N_RECORDS_PER_GROUP 200
70 /* Capsa (format indicator 1) record header. */
72 guint32 unknown1; /* low-order 32 bits of a number? */
73 guint32 unknown2; /* 0x00 0x00 0x00 0x00 */
74 guint32 timestamplo; /* low-order 32 bits of the time stamp, in microseconds since January 1, 1970, 00:00:00 UTC */
75 guint32 timestamphi; /* high-order 32 bits of the time stamp, in microseconds since January 1, 1970, 00:00:00 UTC */
76 guint16 rec_len; /* length of record */
77 guint16 incl_len; /* number of octets captured in file */
78 guint16 orig_len; /* actual length of packet */
79 guint16 unknown5; /* 0x00 0x00 */
80 guint8 count1; /* count1*4 bytes after unknown8 */
81 guint8 count2; /* count2*4 bytes after that */
82 guint16 unknown7; /* 0x01 0x10 */
83 guint32 unknown8; /* 0x00 0x00 0x00 0x00 or random numbers */
86 /* Packet Builder (format indicator 2) record header. */
88 guint16 rec_len; /* length of record */
89 guint16 incl_len; /* number of octets captured in file */
90 guint16 orig_len; /* actual length of packet */
95 guint32 timestamplo; /* low-order 32 bits of the time stamp, in microseconds since January 1, 1970, 00:00:00 UTC */
96 guint32 timestamphi; /* high-order 32 bits of the time stamp, in microseconds since January 1, 1970, 00:00:00 UTC */
102 guint16 format_indicator;
103 guint32 number_of_frames;
106 guint32 record_offsets[N_RECORDS_PER_GROUP];
109 static gboolean capsa_read(wtap *wth, int *err, gchar **err_info,
110 gint64 *data_offset);
111 static gboolean capsa_seek_read(wtap *wth, gint64 seek_off,
112 wtap_rec *rec, Buffer *buf, int *err, gchar **err_info);
113 static int capsa_read_packet(wtap *wth, FILE_T fh, wtap_rec *rec,
114 Buffer *buf, int *err, gchar **err_info);
116 wtap_open_return_val capsa_open(wtap *wth, int *err, gchar **err_info)
118 char magic[sizeof capsa_magic];
119 guint16 format_indicator;
120 int file_type_subtype;
121 guint32 number_of_frames;
124 /* Read in the string that should be at the start of a Capsa file */
125 if (!wtap_read_bytes(wth->fh, magic, sizeof magic, err, err_info)) {
126 if (*err != WTAP_ERR_SHORT_READ)
127 return WTAP_OPEN_ERROR;
128 return WTAP_OPEN_NOT_MINE;
131 if (memcmp(magic, capsa_magic, sizeof capsa_magic) != 0) {
132 return WTAP_OPEN_NOT_MINE;
135 /* Read the mysterious "format indicator" */
136 if (!wtap_read_bytes(wth->fh, &format_indicator, sizeof format_indicator,
138 return WTAP_OPEN_ERROR;
139 format_indicator = GUINT16_FROM_LE(format_indicator);
142 * Make sure it's a format we support.
144 switch (format_indicator) {
147 file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_COLASOFT_CAPSA;
150 case 2: /* Packet Builder */
151 file_type_subtype = WTAP_FILE_TYPE_SUBTYPE_COLASOFT_PACKET_BUILDER;
155 *err = WTAP_ERR_UNSUPPORTED;
156 *err_info = g_strdup_printf("capsa: format indicator %u unsupported",
158 return WTAP_OPEN_ERROR;
162 * Link speed, in megabytes/second?
164 if (!wtap_read_bytes(wth->fh, NULL, 2, err, err_info))
165 return WTAP_OPEN_ERROR;
168 * Flags of some sort? Four 1-byte numbers, two of which are 1
169 * and two of which are zero? Two 2-byte numbers or flag fields,
170 * both of which are 1?
172 if (!wtap_read_bytes(wth->fh, NULL, 4, err, err_info))
173 return WTAP_OPEN_ERROR;
176 * File size, in bytes.
178 if (!wtap_read_bytes(wth->fh, NULL, 4, err, err_info))
179 return WTAP_OPEN_ERROR;
182 * Zeroes? Or upper 4 bytes of file size?
184 if (!wtap_read_bytes(wth->fh, NULL, 4, err, err_info))
185 return WTAP_OPEN_ERROR;
190 if (!wtap_read_bytes(wth->fh, &number_of_frames, sizeof number_of_frames,
192 return WTAP_OPEN_ERROR;
193 number_of_frames = GUINT32_FROM_LE(number_of_frames);
196 * Skip past what we think is file header.
198 if (!file_seek(wth->fh, 0x44ef, SEEK_SET, err))
199 return WTAP_OPEN_ERROR;
201 wth->file_type_subtype = file_type_subtype;
202 capsa = (capsa_t *)g_malloc(sizeof(capsa_t));
203 capsa->format_indicator = format_indicator;
204 capsa->number_of_frames = number_of_frames;
205 capsa->frame_count = 0;
206 wth->priv = (void *)capsa;
207 wth->subtype_read = capsa_read;
208 wth->subtype_seek_read = capsa_seek_read;
210 * XXX - we've never seen a Wi-Fi Capsa capture, so we don't
211 * yet know how to handle them.
213 wth->file_encap = WTAP_ENCAP_ETHERNET;
214 wth->snapshot_length = 0; /* not available in header */
215 wth->file_tsprec = WTAP_TSPREC_USEC;
216 return WTAP_OPEN_MINE;
219 /* Read the next packet */
220 static gboolean capsa_read(wtap *wth, int *err, gchar **err_info,
223 capsa_t *capsa = (capsa_t *)wth->priv;
224 guint32 frame_within_block;
227 if (capsa->frame_count == capsa->number_of_frames) {
229 * No more frames left. Return an EOF.
234 frame_within_block = capsa->frame_count % N_RECORDS_PER_GROUP;
235 if (frame_within_block == 0) {
237 * Here's a record offset block.
238 * Get the offset of the block, and then skip the
241 capsa->base_offset = file_tell(wth->fh);
242 if (!wtap_read_bytes(wth->fh, NULL, 1, err, err_info))
246 * Now read the record offsets.
248 if (!wtap_read_bytes(wth->fh, &capsa->record_offsets,
249 sizeof capsa->record_offsets, err, err_info))
253 * And finish processing all 805 bytes by skipping
256 if (!wtap_read_bytes(wth->fh, NULL, 4, err, err_info))
260 *data_offset = capsa->base_offset +
261 GUINT32_FROM_LE(capsa->record_offsets[frame_within_block]);
262 if (!file_seek(wth->fh, *data_offset, SEEK_SET, err))
265 padbytes = capsa_read_packet(wth, wth->fh, &wth->rec,
266 wth->rec_data, err, err_info);
271 * Skip over the padding, if any.
274 if (!wtap_read_bytes(wth->fh, NULL, padbytes, err, err_info))
278 capsa->frame_count++;
284 capsa_seek_read(wtap *wth, gint64 seek_off,
285 wtap_rec *rec, Buffer *buf, int *err, gchar **err_info)
287 if (file_seek(wth->random_fh, seek_off, SEEK_SET, err) == -1)
290 if (capsa_read_packet(wth, wth->random_fh, rec, buf, err, err_info) == -1) {
292 *err = WTAP_ERR_SHORT_READ;
299 capsa_read_packet(wtap *wth, FILE_T fh, wtap_rec *rec,
300 Buffer *buf, int *err, gchar **err_info)
302 capsa_t *capsa = (capsa_t *)wth->priv;
303 struct capsarec_hdr capsarec_hdr;
304 struct pbrec_hdr pbrec_hdr;
311 /* Read record header. */
312 switch (capsa->format_indicator) {
315 if (!wtap_read_bytes_or_eof(fh, &capsarec_hdr,
316 sizeof capsarec_hdr, err, err_info))
318 rec_size = GUINT16_FROM_LE(capsarec_hdr.rec_len);
319 orig_size = GUINT16_FROM_LE(capsarec_hdr.orig_len);
320 packet_size = GUINT16_FROM_LE(capsarec_hdr.incl_len);
321 header_size = sizeof capsarec_hdr;
322 timestamp = (((guint64)GUINT32_FROM_LE(capsarec_hdr.timestamphi))<<32) + GUINT32_FROM_LE(capsarec_hdr.timestamplo);
325 * OK, the rest of this is variable-length.
326 * We skip: (count1+count2)*4 bytes.
327 * XXX - what is that? Measured statistics?
328 * Calculated statistics?
330 if (!wtap_read_bytes(fh, NULL,
331 (capsarec_hdr.count1 + capsarec_hdr.count2)*4,
334 header_size += (capsarec_hdr.count1 + capsarec_hdr.count2)*4;
338 if (!wtap_read_bytes_or_eof(fh, &pbrec_hdr,
339 sizeof pbrec_hdr, err, err_info))
341 rec_size = GUINT16_FROM_LE(pbrec_hdr.rec_len);
342 orig_size = GUINT16_FROM_LE(pbrec_hdr.orig_len);
343 packet_size = GUINT16_FROM_LE(pbrec_hdr.incl_len);
344 header_size = sizeof pbrec_hdr;
345 timestamp = (((guint64)GUINT32_FROM_LE(pbrec_hdr.timestamphi))<<32) + GUINT32_FROM_LE(pbrec_hdr.timestamplo);
347 * XXX - from the results of some conversions between
348 * Capsa format and pcap by Colasoft Packet Builder,
349 * I do not trust its conversion of time stamps (at
350 * least one of Colasoft's sample files, when
351 * converted to pcap format, has, as its time stamps,
352 * time stamps on the day after the conversion was
353 * done, which seems like more than just coincidence).
358 g_assert_not_reached();
359 *err = WTAP_ERR_INTERNAL;
362 if (orig_size > WTAP_MAX_PACKET_SIZE_STANDARD) {
364 * Probably a corrupt capture file; don't blow up trying
365 * to allocate space for an immensely-large packet.
367 *err = WTAP_ERR_BAD_FILE;
368 *err_info = g_strdup_printf("capsa: File has %u-byte original length, bigger than maximum of %u",
369 orig_size, WTAP_MAX_PACKET_SIZE_STANDARD);
372 if (packet_size > WTAP_MAX_PACKET_SIZE_STANDARD) {
374 * Probably a corrupt capture file; don't blow up trying
375 * to allocate space for an immensely-large packet.
377 *err = WTAP_ERR_BAD_FILE;
378 *err_info = g_strdup_printf("capsa: File has %u-byte packet, bigger than maximum of %u",
379 packet_size, WTAP_MAX_PACKET_SIZE_STANDARD);
382 if (header_size + packet_size > rec_size) {
384 * Probably a corrupt capture file.
386 *err = WTAP_ERR_BAD_FILE;
387 *err_info = g_strdup_printf("capsa: File has %u-byte packet with %u-byte record header, bigger than record size %u",
388 packet_size, header_size, rec_size);
393 * The "on the wire" record size always includes the CRC.
394 * If it's greater than the "captured" size by 4, then
395 * we subtract 4 from it, to reflect the way the "on the wire"
396 * record size works for other file formats.
398 if (orig_size == packet_size + 4)
399 orig_size = packet_size;
402 * We assume there's no FCS in this frame.
403 * XXX - is there ever one?
405 rec->rec_header.packet_header.pseudo_header.eth.fcs_len = 0;
407 rec->rec_type = REC_TYPE_PACKET;
408 rec->rec_header.packet_header.caplen = packet_size;
409 rec->rec_header.packet_header.len = orig_size;
410 rec->presence_flags = WTAP_HAS_CAP_LEN|WTAP_HAS_TS;
411 rec->ts.secs = (time_t)(timestamp / 1000000);
412 rec->ts.nsecs = ((int)(timestamp % 1000000))*1000;
415 * Read the packet data.
417 if (!wtap_read_packet_bytes(fh, buf, packet_size, err, err_info))
418 return -1; /* failed */
420 return rec_size - (header_size + packet_size);
424 * Editor modelines - http://www.wireshark.org/tools/modelines.html
429 * indent-tabs-mode: t
432 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
433 * :indentSize=8:tabSize=8:noTabs=false: